# {{output.header}}
# {{{output.link}}}
{{!Only version 1.5.0 and newer support TLS}}
{{#if (minver "1.5.0" form.serverVersion)}}
global
    # {{form.config}} configuration, tweak to your needs
{{#if output.ciphers.length}}
    ssl-default-bind-ciphers {{{join output.ciphers ":"}}}
{{/if}}
{{#if (minver "1.9.0" form.serverVersion)}}
    {{#if (minver "1.1.1" form.opensslVersion)}}
    ssl-default-bind-ciphersuites {{{join output.cipherSuites ":"}}}
    {{/if}}
{{/if}}
    ssl-default-bind-options{{#unless (includes "SSLv3" output.protocols)}} no-sslv3{{/unless}}{{#unless (includes "TLSv1" output.protocols)}} no-tlsv10{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} no-tlsv11{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}} no-tlsv12{{/unless}} no-tls-tickets

{{#if output.ciphers.length}}
    ssl-default-server-ciphers {{{join output.ciphers ":"}}}
{{/if}}
{{#if (minver "1.9.0" form.serverVersion)}}
    {{#if (minver "1.1.1" form.opensslVersion)}}
    ssl-default-server-ciphersuites {{{join output.cipherSuites ":"}}}
    {{/if}}
{{/if}}
    ssl-default-server-options{{#unless (includes "SSLv3" output.protocols)}} no-sslv3{{/unless}}{{#unless (includes "TLSv1" output.protocols)}} no-tlsv10{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} no-tlsv11{{/unless}}{{#unless (includes "TLSv1.2" output.protocols)}} no-tlsv12{{/unless}} no-tls-tickets
{{#if output.usesDhe}}

    {{#if (minver "1.6.0" form.serverVersion)}}
    # {{output.dhCommand}} > /path/to/dhparam.pem
    ssl-dh-param-file /path/to/dhparam.pem
    {{else}}
    tune.ssl.default-dh-param 2048
    {{/if}}
{{/if}}

frontend ft_test
    mode    http
    bind    :443 ssl crt /path/to/<cert+privkey+intermediate>{{#if (minver "1.8.0" form.serverVersion)}} alpn h2,http/1.1{{/if}}
    bind    :80
{{#if form.hsts}}
    redirect scheme https code 301 if !{ ssl_fc }

    # HSTS ({{output.hstsMaxAge}} seconds)
    http-response set-header Strict-Transport-Security max-age={{output.hstsMaxAge}}
{{/if}}
{{else}}
Sorry, TLS is not supported in this version of HAProxy.
{{/if}}